CCI-003230
CCI-003230 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed identifies and documents critical information system functions by performing a criticality analysis for information systems, information system components, or information system services IAW DoDI 5200.44. Criticality analysis is the primary method by which a program identifies mission-critical functions and associated components. Criticality analysis includes the following iterative steps:
1. Identify and group mission threads.
2. Decompose the mission threads into their mission-critical functions and assign them criticality levels.
3. Map the mission-critical functions to the system architecture and identify the defined system components (hardware, software, and firmware) that implement those functions (i.e., components that are critical to the mission effectiveness of the system or an interfaced network).
4. Allocate criticality levels to those components that have been defined.
Criticality levels are determined by assessing the relative impact on the system’s ability to complete its mission if the function and associated component fails. Level I is total mission failure, Level II is significant/unacceptable degradation, Level III is partial/acceptable degradation, and Level IV is negligible. Once the program has identified critical functions through the criticality analysis, the program systems engineers and SSEs can use the results along with the vulnerability assessment and threat assessment to determine the risk. The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information.
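The four steps above can be recorded as a small model and checked mechanically: threads list their functions with levels (step 2), components list the functions they implement (step 3), and each component receives the most severe level of any function it implements (step 4). The script below is an added example, not text from this CCI, DoDI 5200.44, or the DAG; the mission threads, function names, and component names are constructed for illustration. It also surfaces two findings an assessor looks for when examining the documented analysis: a mission-critical function that no component implements (a mapping gap) and a component that implements no mission-critical function (outside the critical set).

```python
"""Criticality analysis worked example (constructed data, not from the page).

Pipeline: mission threads -> mission-critical functions with levels
          -> components that implement them -> component criticality levels.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    """Criticality levels; a lower number is more severe."""
    I = 1    # total mission failure
    II = 2   # significant / unacceptable degradation
    III = 3  # partial / acceptable degradation
    IV = 4   # negligible


@dataclass
class Function:
    name: str
    level: Level


@dataclass
class MissionThread:
    name: str
    functions: List[Function]


@dataclass
class Component:
    name: str
    kind: str            # "hardware", "software", or "firmware"
    implements: List[str]  # names of functions this component realises


def allocate_component_levels(
    threads: List[MissionThread], components: List[Component]
) -> Tuple[Dict[str, Level], Dict[str, Level], List[str]]:
    """Steps 2-4: derive function levels, map them onto components, and
    allocate each component the most severe level among its functions.

    Returns (function_levels, component_levels, unmapped_functions).
    Components that implement no identified function get no level, which
    marks them as outside the critical set for this analysis.
    """
    # Step 2: a function appearing in several threads keeps its most severe level.
    function_levels: Dict[str, Level] = {}
    for thread in threads:
        for fn in thread.functions:
            current = function_levels.get(fn.name)
            if current is None or fn.level < current:
                function_levels[fn.name] = fn.level

    # Steps 3-4: map functions to components; allocate the most severe level.
    component_levels: Dict[str, Level] = {}
    for comp in components:
        levels = [function_levels[f] for f in comp.implements if f in function_levels]
        if levels:
            component_levels[comp.name] = min(levels)

    # Mapping gap: a mission-critical function with no implementing component.
    implemented = {f for comp in components for f in comp.implements}
    unmapped = sorted(f for f in function_levels if f not in implemented)
    return function_levels, component_levels, unmapped


def run_example() -> Tuple[Dict[str, Level], Dict[str, Level], List[str]]:
    """Constructed sample: two mission threads for a hypothetical sensor platform."""
    threads = [
        MissionThread("Deliver telemetry", [
            Function("Acquire sensor data", Level.I),
            Function("Encrypt downlink", Level.I),
            Function("Log diagnostics", Level.IV),
        ]),
        MissionThread("Receive commands", [
            Function("Authenticate command", Level.I),
            Function("Parse command", Level.II),
            Function("Verify frame CRC", Level.II),
            Function("Log diagnostics", Level.III),  # same function, more severe here
        ]),
    ]
    components = [
        Component("Sensor FPGA firmware", "firmware", ["Acquire sensor data"]),
        Component("Crypto module", "hardware", ["Encrypt downlink", "Authenticate command"]),
        Component("Command parser", "software", ["Parse command", "Log diagnostics"]),
        Component("Housekeeping daemon", "software", ["Log diagnostics"]),
        Component("Telemetry formatter", "software", ["Format frames"]),  # not mission-critical
    ]
    return allocate_component_levels(threads, components)


if __name__ == "__main__":
    function_levels, component_levels, unmapped = run_example()
    for name, level in sorted(component_levels.items(), key=lambda kv: kv[1]):
        print(f"{name:22s} Level {level.name}")
    print("Functions with no implementing component:", unmapped)
```

Running it lists the Crypto module and Sensor FPGA firmware at Level I, the Command parser at Level II (its most severe function), and the Housekeeping daemon at Level III; the Telemetry formatter gets no level, and "Verify frame CRC" is reported as a mapping gap to resolve before the results feed the vulnerability and threat assessments.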
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented information system functions to ensure the organization being inspected/assessed identifies critical information system functions by performing a criticality analysis for information systems, information system components, or information system services IAW DoDI 5200.44.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan for identifying critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.